Christiaan Conover

Review: Yubikey Authentication Device

February 10, 2011

As anyone who knows me well will tell you, I’m kind of a security geek.  I’m fascinated by encryption, data protection, strong passwords, and generally locking things down just because I can.  For a long time there was a challenge with some of my friends to see if any of them could get into my computer, or at the very least figure out one of the 4 passwords required to boot it up to a desktop.  So when I found out about Lastpass & started using it, I was pretty excited.  A service that fully encrypts all my passwords, allows me to generate strong, unique passwords for every site I use, and syncs to the cloud (my other tech passion) – what could be better?  Well imagine my excitement when I found out that there was a device that could make not only Lastpass, but anything I did requiring a password, exponentially more secure & at the same time easier to use!  Enter the Yubikey.

“Christiaan, we’re not all geeks like you.  Why would I ever want this thing?”

Great question, and I’ll tell you why.  If you’re like a lot of people these days, a large majority of your life is stored electronically.  Some of it is online with Google, Facebook, Flickr, etc. and some of it is on your own computer.  It makes life very convenient, and in many ways a lot of fun.  However, without some good strong passwords to protect all that information, you’re leaving yourself very vulnerable to people who may be ill-intentioned.

If you’re someone who keeps a little book, cheat sheet or a bunch of Post-Its with your passwords written down (or you use the same password for your bank as you do for Facebook) you’re also leaving yourself incredibly vulnerable & you should definitely take a look at my review of Lastpass.

Now we’ve all heard it before: “make sure you use passwords with random letters, numbers & symbols and never use a word somebody could guess!”  That’s all well & good, but let’s be honest: passwords are hard enough to remember as it is without having to add in gibberish.  This is where the Yubikey comes in.  It produces very long (mine is set to 54 characters), randomly generated passwords that you can use in conjunction with something you can actually remember.  When combined, you finally have that password the security people tell you to have.  The best part: all you have to do is push a button!  It also features One Time Password technology (the primary feature of the device, actually) which I’ll explain later.

So the bottom line on why you should keep reading this post, and why I think you ought to have one: it’s as simple to use as it is incredibly secure.

The Device Itself

First off, let’s look at the actual hardware.  This thing is small.  I mean, it’s noticeably smaller & lighter than your average flash drive.  I keep it on my keychain (which is notoriously sparse) and don’t notice it at all.

As you can see, quite small and also quite thin.

Don’t think that it’s fragile though.  It’s made from strong plastic, and is sealed to be water resistant.  Notice how the USB tab doesn’t look like the one on your flash drive, with the normal rectangular metal plug?  That’s because those are breakable, and leave the drive open to water damage.  On the Yubikey the USB contact strips, as well as the touch-sensitive activation button, are integrated right into the plastic body.  Mine has been through the laundry a couple of times, had drinks spilled on it, and even been dropped in a puddle – none of which even began to faze it.  As you can see in the pictures mine has managed to accumulate a few scratches & dents along the way, but they don’t affect it one iota.  This thing is tough.

“So if I plug it into my computer that means drivers and a headache, right?”

More good news!  When you plug in the Yubikey, your computer will recognize it as a USB keyboard.  This is awesome, because I’m not exaggerating when I say that USB keyboards are probably the most universally supported computer accessory in the world.  Everything supports them, with no software or outside drivers needed.  Just plug this thing in & go.  Like I said earlier, it’s simple.

The other cool thing about this is, when you press the button to use it, the Yubikey “types” the entry into the password field, and you’ll see a whole bunch of dots suddenly fly across the screen.  It’s like watching the world’s fastest typist or something.

Setting It Up

Some of this continues down the path of K.I.S.S. and some of it is not quite so straightforward – but before you get dismayed, don’t worry!  I’ve written a post that explains step by step & in-depth exactly how to configure your Yubikey for optimum security & simplicity.  Now, if you’re only planning to use it with Lastpass or other One Time Password compliant services, then it’ll be ready to go the second you take it out of the box, no device configuration required.  However, if you want to maximize your use of it & really secure your passwords all around, that’s what I’ll be explaining.  Check back for that post, I’ll put a link right here once it’s up.

What I will say at this juncture is the more complicated aspect is a one-time process.  You do it as soon as you get your Yubikey, and you NEVER have to do it again (unless, of course, you decide you want to for whatever reason).  In any other place where you’d be setting up the Yubikey for use with various services (such as Lastpass), that service will walk you through exactly what to do, which usually only consists of pushing the button.  Simple.

Using It

Let’s all say it together: Siiiiiiiiiiimmmmple.  Just stick it into the USB port on your computer, and when a service you’ve set it up with prompts you for your Yubikey you just hold your finger on the button for one second, release, and you’re done.

You’ll know when you’ve got it inserted the right way & that it’s ready to be used when the LED in the center of the button lights up green, like this:

Only one end of it fits in the computer, and if it doesn’t light up the first time flip it over.  It really is no more difficult than that.

The way I have mine set up is with a static password (one that never changes), which I use in combination with a password I remember & type in to form a very secure Windows password.  I also have it set up to do One Time Password for logging into Lastpass, which I mentioned at the beginning.

One Time Password (OTP) is pretty much what it sounds like: each password is only used one time, ever.  Basically, when you push the button on the Yubikey, it generates a one-time password.  The first 12 characters are always the same, as a way for it to identify itself.  The rest of the password (very long & ugly) is totally random, and never repeated – ever.  Once it generates the OTP, it sends it to whatever service requested it, such as Lastpass.  That service then checks that password against its own records, to see if it makes sense for that device.  If it does, it then sends it along to a central authentication server, which also checks to make sure that password makes sense for your device, as well as verifying that the sending service (i.e. Lastpass) is authorized to authenticate with this device.  If all this stuff checks out, you’re logged in.  If it sounds complicated, that’s because it is, and it’s actually far more complex than I just explained.  However, you don’t need to worry about ANY of that in order to use it, I just wanted to demonstrate how secure One Time Password is.

In addition to all the verification procedures & checks that One Time Password offers, there’s another major benefit.  If you’re using a computer on which some unscrupulous person has set up a keylogger to gather people’s usernames & passwords, OTP foils their attempts.  Since they’ll log a password that can never be repeated, it makes their data totally useless & keeps you 100% protected.  Take that, criminals!
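To make the last two paragraphs concrete, here is a small sketch added to this review as an example (it is not code from Yubico, Lastpass or the device itself): it splits an OTP into the 12-character device ID and the changing part, and shows why a password captured by a keylogger is rejected the second time.  The `OtpService` class and the sample OTP strings are constructed for illustration, and remembering every accepted OTP stands in for the counter comparison a real validation server performs after decrypting the changing part with the device’s key.

```python
MODHEX = "cbdefghijklnrtuv"   # the 16 characters a Yubikey "types"
PUBLIC_ID_LEN = 12            # leading characters that identify the device
BLOCK_LEN = 32                # 32 modhex characters = one 16-byte block

def modhex_decode(text):
    """Turn a modhex string into bytes (each character is one 4-bit nibble)."""
    nibbles = [MODHEX.index(ch) for ch in text]   # ValueError on a bad character
    return bytes(hi << 4 | lo for hi, lo in zip(nibbles[0::2], nibbles[1::2]))

def split_otp(otp):
    """Return (public_id, block_bytes); raise ValueError if the OTP is malformed."""
    otp = otp.strip().lower()
    if len(otp) != PUBLIC_ID_LEN + BLOCK_LEN:
        raise ValueError("unexpected OTP length")
    return otp[:PUBLIC_ID_LEN], modhex_decode(otp[PUBLIC_ID_LEN:])

class OtpService:
    """Hypothetical service-side check: known device, never-seen-before OTP."""

    def __init__(self):
        self.enrolled = {}    # public_id -> account name
        self.used = set()     # (public_id, block) pairs already consumed

    def enroll(self, account, otp):
        public_id, block = split_otp(otp)
        self.enrolled[public_id] = account
        self.used.add((public_id, block))   # the enrollment OTP is spent too

    def login(self, account, otp):
        try:
            public_id, block = split_otp(otp)
        except ValueError:
            return "rejected: malformed"
        if self.enrolled.get(public_id) != account:
            return "rejected: wrong device"
        if (public_id, block) in self.used:
            return "rejected: replayed"     # what a keylogged OTP runs into
        self.used.add((public_id, block))
        return "accepted"

# Constructed sample values, not output from a real device.
DEVICE = "ccccccbdefgh"
OTP_1 = DEVICE + "cbdefghijklnrtuv" * 2
OTP_2 = DEVICE + "vutrnlkjihgfedbc" * 2
```
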

Plus, don’t forget: all of this happens when you just push one button, and let it do the rest.

Final Thoughts

At this point I’ve had my Yubikey for about 6 months, and I can’t imagine living without it.  It’s made me so much more confident in & comfortable with my personal cyber security, and at the same time made being secure easier than it ever was before.  I honestly can’t think of a single thing I’d change about it (OK, maybe the initial configuration – though that’s truly not hard) and recommend it to everyone, period.  I have my 85 year-old grandfather set up with one to simplify his computer using experience & keep him safe on the computer, and I couldn’t have kept him this secure & still allowed him to go about his business any other way.

I give the Yubikey a 9 out of 10.  If you want to get one, you can order it at the Yubikey web site.

Order a Yubikey Configure Your Yubikey

Full disclosure: the link contains my affiliate code, which gives me a few cents of any Yubikey purchased from it.  It’s not much & the price is the same whether you use that link or go directly to the store, but it helps offset the cost of running this site a little bit.  I’d appreciate it if you use the link above, but most importantly I just really think it’s a great product & think everyone should get one.


  • Hayden

    As universal as keyboards are, I wonder if this key will work with an iPad. The USB camera kit is known to accept keyboards. I see that there is a WordPress plugin for the key available. If I get this key and use it to authenticate on my own blog, I could prevent myself from logging on through an iPad, iPhone, or any other device which potentially might not recognize the key.

  • http://www.christiaanconover.com/ Christiaan Conover

    Great point! I don’t own an iPad so I’m not sure about using a Yubikey with one. I’d recommend getting a Yubikey & testing it out with the iPad before enabling the plugin though. If you do end up trying it, definitely let us know how it works out!

  • Phil212

    In using Yubikey with Last Pass –
    1. What if it’s lost or stolen – can you recover?
    2. Can you set up two Yubikeys (one for me and one for wife)?

  • http://www.christiaanconover.com/ Christiaan Conover

    If your Yubikey is lost or stolen, Lastpass offers the ability to authenticate without it. When the prompt comes up to enter the Yubikey password, there’s a link you can click on if you don’t have access to your Yubikey. Lastpass will then require you to go through authentication procedures to verify your identity & then revoke access to your account using that Yubikey.

    Lastpass does also support multiple Yubikeys per account (I believe the default is 5, and can’t remember if there’s the option to add more). So, if you and your wife are sharing a Lastpass account you can both have separate Yubikeys & still be fine.

  • Lisa Arthur

    Thanks for a really good review, I’m more than happy to click on your affiliate link and purchase. One question – do you need to keep the key in all of the time or do you put it in and then take it out once you have access? I read the main website and it doesn’t say there either. I’m asking because my Mac only has two USB ports of course!

    Thanks

  • http://www.christiaanconover.com/ Christiaan Conover

    I’m glad you enjoyed my review! You do not need to keep it plugged in, it only needs to be in when you actually authenticate.

    As a side note: you mentioned you have a Mac, so just to give you a heads-up: the Yubikey works 100% with Mac (it’s just a keyboard as far as the computer is concerned) but when you first put it in, Mac OS will ask you to identify what type of keyboard it is. When it asks you to press a key on the keyboard, just tap the button. It will then say it doesn’t recognize it and to choose the type manually. Choose “ANSI (United States)” and you’ll be good to go. This will only happen the first time you insert it; the computer will recognize it every time after that.

    Hope that helps!

  • Robert Ryan

    Christiaan, I am looking for a password manager and one feature important to me is using it with an Android phone.  How would that work with a Yubikey?  The device has a mini usb port, but the Yubikey would not fit.

  • Anonymous

    Christiaan, thanks for the review.

    I’m interested in how you set the Yubikey up. I guess you didn’t have the time to make a follow-up post about the setup procedure. Perhaps you can put some links down here pointing to relevant information.

  • http://www.christiaanconover.com/ Christiaan Conover

    @DrunkenNinja I am working on the follow-up post, thanks for the reminder.  I’ll try to get that done in the next couple of days.

  • http://www.christiaanconover.com/ Christiaan Conover

    If you use LastPass with their mobile app, the Yubikey isn’t required to authenticate via mobile.  You can use the Yubikey with computer-based authentication, and still access your password manager on your phone.  That’s how I do it since I use an Android phone as well.

  • http://www.christiaanconover.com/ Christiaan Conover

    I’ve completed the configuration tutorial, which you can find here: http://christiaanconover.com/yubikeyconfig

  • Nosegravy

    Have you looked into the RFID unit? Also I noticed the regular one can be bundled with Lastpass. Can the RFID one be bundled as well? What would the benefit of RFID be?

  • http://www.christiaanconover.com/ Christiaan Conover

    I actually have an RFID-enabled Yubikey, which I bought a couple of months ago and am now using as my primary device (my old Yubikey is in my safe as a backup). The RFID Yubikey is identical to the standard Yubikey. The only difference is that, in addition to all the normal features, it can also be used with RFID systems. I haven’t used the RFID component yet as I don’t have anything with which to use it, but the standard Yubikey elements work flawlessly. I’d recommend getting the RFID one, if for no other reason than you’ll have that feature if you ever need or want to use it.

    Copyright © 2012 Christiaan Conover. For content usage restrictions, see the license guidelines.